Merge pull request #41919 from Cynerva/gkk/kubelet-auth

Automatic merge from submit-queue (batch tested with PRs 41919, 41149, 42350, 42351, 42285) Juju: Disable anonymous auth on kubelet **What this PR does / why we need it**: This disables anonymous authentication on kubelet when deployed via Juju. I've also adjusted a few other TLS options for kubelet and kube-apiserver. The end result is that: 1. kube-apiserver can now authenticate with kubelet 2. kube-apiserver now verifies the integrity of kubelet **Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: https://github.com/juju-solutions/bundle-canonical-kubernetes/issues/219 **Special notes for your reviewer**: This is dependent on PR #41251, where the tactics changes are being merged in separately. Some useful pages from the documentation: * [apiserver -> kubelet](https://kubernetes.io/docs/admin/master-node-communication/#apiserver---kubelet) * [Kubelet authentication/authorization](https://kubernetes.io/docs/admin/kubelet-authentication-authorization/) **Release note**: ```release-note Juju: Disable anonymous auth on kubelet ```
2017-03-03 16:44:37 -08:00
parent 98eae9b222 27504d8aca
commit 5b8d600d72
3 changed files with 40 additions and 15 deletions
--- a/cluster/juju/layers/kubernetes-master/reactive/kubernetes_master.py
+++ b/cluster/juju/layers/kubernetes-master/reactive/kubernetes_master.py
@@ -252,7 +252,7 @@ def idle_status():


@when('etcd.available', 'kubernetes-master.components.installed',
-      'certificates.server.cert.available')
+      'certificates.server.cert.available', 'authentication.setup')
@when_not('kubernetes-master.components.started')
 def start_master(etcd, tls):
    '''Run the Kubernetes master components.'''
@@ -685,6 +685,8 @@ def render_files():
    # Get the tls paths from the layer data.
    layer_options = layer.options('tls-client')
    ca_cert_path = layer_options.get('ca_certificate_path')
+    client_cert_path = layer_options.get('client_certificate_path')
+    client_key_path = layer_options.get('client_key_path')
    server_cert_path = layer_options.get('server_certificate_path')
    server_key_path = layer_options.get('server_key_path')

@@ -694,6 +696,9 @@ def render_files():
    api_opts.add('--client-ca-file', ca_cert_path)
    api_opts.add('--tls-cert-file', server_cert_path)
    api_opts.add('--tls-private-key-file', server_key_path)
+    api_opts.add('--kubelet-certificate-authority', ca_cert_path)
+    api_opts.add('--kubelet-client-certificate', client_cert_path)
+    api_opts.add('--kubelet-client-key', client_key_path)

    scheduler_opts.add('--v', '2')